diff --git a/.cvsignore b/.cvsignore
index 2c0f143..f6dcb16 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-comix-3.6.4.tar.gz
+comix-3.6.5.tar.gz
diff --git a/comix-3.6.4-command-argument-closure.patch b/comix-3.6.4-command-argument-closure.patch
deleted file mode 100644
index ec8d2a3..0000000
--- a/comix-3.6.4-command-argument-closure.patch
+++ /dev/null
@@ -1,158 +0,0 @@
---- comix-3.6.4/comix.debug 2007-05-27 01:30:16.000000000 +0900
-+++ comix-3.6.4/comix 2008-04-02 20:11:53.000000000 +0900
-@@ -44,6 +44,9 @@
- import pwd
- import cPickle
-
-+import subprocess
-+import string
-+
- try:
- import pygtk
- pygtk.require('2.0')
-@@ -6277,9 +6280,12 @@
- archive = tarfile.open(path, 'r')
- files = archive.getnames()
- elif type == 'rar':
-+ #files = \
-+ #os.popen(self.rar + ' vb "' + path +
-+ #'"').readlines()
- files = \
-- os.popen(self.rar + ' vb "' + path +
-- '"').readlines()
-+ subprocess.Popen([self.rar, 'vb', path],
-+ stdout=subprocess.PIPE).communicate()[0].splitlines()
- files = [file.rstrip('\n') for file in files]
- cover = None
- files.sort()
-@@ -6302,9 +6308,20 @@
- break
- if cover != None:
- if type == 'rar':
-- os.popen(self.rar + ' p -inul -- "' + path + '" "' +
-- cover + '" > "' + thumb_dir +
-- '/temp" 2>/dev/null', "r").close()
-+ #os.popen(self.rar + ' p -inul -- "' + path + '" "' +
-+ #cover + '" > "' + thumb_dir +
-+ #'/temp" 2>/dev/null', "r").close()
-+ filen = thumb_dir + '/temp'
-+ try:
-+ os.remove(filen)
-+ except:
-+ pass
-+ fp = open(filen, 'w')
-+ fdp = fp.fileno()
-+ p = subprocess.Popen(
-+ [self.rar, 'p', '-inul', '--', path,
-+ cover ], stdout = fdp).wait()
-+ fp.close()
- image = Image.open(thumb_dir + '/temp')
- os.remove(thumb_dir + '/temp')
- elif type == 'zip':
-@@ -8733,8 +8750,10 @@
- # =======================================================
- elif archive_type == 'rar':
- if self.rar:
-- os.popen(
-- self.rar + ' x "' + src_path + '" "' + dst_path + '"')
-+ #os.popen(
-+ #self.rar + ' x "' + src_path + '" "' + dst_path + '"')
-+ subprocess.Popen(
-+ [self.rar, 'x', src_path, dst_path],stdout=sys.stdout).wait()
- else:
- self.statusbar.push(0,
- _('Could not find the unrar executable. Please install it if you wish to open RAR archives.'))
-@@ -9168,9 +9187,37 @@
- self.are_you_sure_dialog.hide()
- if response != -5:
- return
-- os.popen(self.jpegtran + ' -copy all -trim ' + operation +
-- ' -outfile "' + self.file[self.file_number] + '" "' +
-- self.file[self.file_number] + '"')
-+ #os.popen(self.jpegtran + ' -copy all -trim ' + operation +
-+ #' -outfile "' + self.file[self.file_number] + '" "' +
-+ #self.file[self.file_number] + '"')
-+ op = operation.split()
-+ op_len = len(op)
-+
-+ i=1
-+ filen = self.file[self.file_number]
-+ while (1):
-+ tmp_file = filen + '.tmp' + 'z' * i
-+ if os.path.exists(tmp_file):
-+ i += 1
-+ else:
-+ break
-+
-+ # Ugly hack :(
-+ if op_len == 2:
-+ p = subprocess.Popen(
-+ [self.jpegtran, '-copy', 'all', '-trim', op[0], op[1],
-+ '-outfile', tmp_file, filen],
-+ stdin=sys.stdin, stdout=sys.stdout)
-+ else:
-+ p = subprocess.Popen(
-+ [self.jpegtran, '-copy', 'all', '-trim', op[0],
-+ '-outfile', tmp_file, filen],
-+ stdin=sys.stdin, stdout=sys.stdout)
-+ p.wait()
-+ if p.returncode == 0:
-+ shutil.copymode(filen, tmp_file)
-+ shutil.copy(tmp_file, filen)
-+ os.remove(tmp_file)
- try:
- uri = 'file://' + urllib.pathname2url(self.file[self.file_number])
- thumb_path = md5.new()
---- comix-3.6.4/mime/comicthumb.debug 2007-05-27 01:30:16.000000000 +0900
-+++ comix-3.6.4/mime/comicthumb 2008-04-02 21:11:10.000000000 +0900
-@@ -22,6 +22,9 @@
- import StringIO
- import re
- import shutil
-+
-+import subprocess
-+
- try:
- import Image
- except:
-@@ -138,19 +141,35 @@
- if not rar:
- print "You must install unrar or rar to thumbnail RAR archives."
- sys.exit(1)
-- rarfiles = os.popen('%s vb "%s"' % (rar, compressed_file)).readlines()
-+ #rarfiles = os.popen('%s vb "%s"' % (rar, compressed_file)).readlines()
-+ rarfiles = subprocess.Popen([rar, 'vb', compressed_file],
-+ stdout=subprocess.PIPE).communicate()[0].splitlines()
- for i in range(len(rarfiles)):
- rarfiles[i] = rarfiles[i].rstrip("\n")
- rarfiles.sort()
- cover = guessCover(rarfiles)
- if cover:
-- picture = StringIO.StringIO(os.popen('%s p -inul -- "%s" "%s"'
-- % (rar, compressed_file, cover), "r").read())
-+ #picture = StringIO.StringIO(os.popen('%s p -inul -- "%s" "%s"'
-+ #% (rar, compressed_file, cover), "r").read())
-+ picture = StringIO.StringIO(subprocess.Popen(
-+ [rar, 'p', '-inul', '--', compressed_file, cover],
-+ stdout=subprocess.PIPE).stdout.read())
- else:
- subarchive = first_archive(rarfiles)
- if subarchive:
-- os.popen('%s p -inul -- "%s" "%s" > "/tmp/comicthumb/archive%d"'
-- % (rar, compressed_file, subarchive, depth), "r")
-+ #os.popen('%s p -inul -- "%s" "%s" > "/tmp/comicthumb/archive%d"'
-+ #% (rar, compressed_file, subarchive, depth), "r")
-+ filen = "/tmp/comicthumb/archive%d"%(depth)
-+ try:
-+ os.remove(filen)
-+ except:
-+ pass
-+ fp = open(filen, 'w')
-+ fdp = fp.fileno()
-+ subprocess.Popen(
-+ [rar, 'p', '-inul', '--', compressed_file, subarchive],
-+ stdout = fdp).wait()
-+ fp.close()
- return get_image("/tmp/comicthumb/archive%d" % (depth),
- depth + 1)
- return picture
diff --git a/comix-3.6.4-tmpfile.patch b/comix-3.6.4-tmpfile.patch
deleted file mode 100644
index e25cbf3..0000000
--- a/comix-3.6.4-tmpfile.patch
+++ /dev/null
@@ -1,163 +0,0 @@
---- comix-3.6.4/comix.tmpfile 2008-04-03 01:23:35.000000000 +0900
-+++ comix-3.6.4/comix 2008-04-03 01:23:35.000000000 +0900
-@@ -47,6 +47,8 @@
- import subprocess
- import string
-
-+import tempfile
-+
- try:
- import pygtk
- pygtk.require('2.0')
-@@ -257,6 +259,8 @@
- window_height = 0
- colour_adjust_signal_kill = False
- colour_adjust_dialog_displayed = False
-+
-+ _tmp_dir = None
-
- def close_application(self, widget, event=None):
-
-@@ -270,8 +274,8 @@
- self.prefs['page of last file'] = self.file_number
- if os.path.exists(self.base_dir):
- shutil.rmtree(self.base_dir)
-- if len(os.listdir('/tmp/comix')) == 0:
-- shutil.rmtree('/tmp/comix')
-+ if len(os.listdir(self._tmp_dir)) == 0:
-+ shutil.rmtree(self._tmp_dir)
- self.exit = True
-
- # =======================================================
-@@ -369,9 +373,9 @@
- # =======================================================
- if os.path.exists(self.base_dir):
- shutil.rmtree(self.base_dir)
-- if os.path.isdir('/tmp/comix'):
-- if len(os.listdir('/tmp/comix')) == 0:
-- shutil.rmtree('/tmp/comix')
-+ if os.path.isdir(self._tmp_dir):
-+ if len(os.listdir(self._tmp_dir)) == 0:
-+ shutil.rmtree(self._tmp_dir)
-
-
- # =======================================================
-@@ -8027,7 +8031,7 @@
- return False
-
- # We don't want to open files from our selves.
-- if selection.data.startswith('file:///tmp/comix/'):
-+ if selection.data.startswith('file://' + self._tmp_dir):
- return
-
- uri = selection.data.strip()
-@@ -10543,15 +10547,20 @@
- # The dir is /tmp/comix/ where is 1 or higher
- # depending on the number of Comix sessions opened.
- # =======================================================
-- if not os.path.exists('/tmp/comix/'):
-- os.makedirs('/tmp/comix/')
-- os.chmod('/tmp/comix/', 0700)
-+ #if not os.path.exists('/tmp/comix/'):
-+ # os.makedirs('/tmp/comix/')
-+ # os.chmod('/tmp/comix/', 0700)
-+
-+ self._tmp_dir = tempfile.mkdtemp(prefix='comix.', suffix=os.sep,
-+ dir = '/tmp')
-+ self._tmp_dir += "/"
-+
- dir_number = 1
- while 1:
-- if not os.path.exists('/tmp/comix/' + str(dir_number)):
-- os.mkdir('/tmp/comix/' + str(dir_number))
-- os.chmod('/tmp/comix/' + str(dir_number), 0700)
-- self.base_dir = '/tmp/comix/' + str(dir_number) + '/'
-+ if not os.path.exists(self._tmp_dir + str(dir_number)):
-+ os.mkdir(self._tmp_dir + str(dir_number))
-+ os.chmod(self._tmp_dir + str(dir_number), 0700)
-+ self.base_dir = self._tmp_dir + str(dir_number) + '/'
- break
- dir_number += 1
-
---- comix-3.6.4/mime/comicthumb.tmpfile 2008-04-03 01:23:35.000000000 +0900
-+++ comix-3.6.4/mime/comicthumb 2008-04-03 01:29:52.000000000 +0900
-@@ -24,6 +24,7 @@
- import shutil
-
- import subprocess
-+import tempfile
-
- try:
- import Image
-@@ -51,9 +52,13 @@
- sys.exit(1)
-
- # temp directory needed for multiple archives
--if not os.path.exists('/tmp/comicthumb/'):
-- os.makedirs('/tmp/comicthumb/')
-- os.chmod('/tmp/comicthumb/', 0700)
-+#if not os.path.exists('/tmp/comicthumb/'):
-+# os.makedirs('/tmp/comicthumb/')
-+# os.chmod('/tmp/comicthumb/', 0700)
-+_tmp_dir = tempfile.mkdtemp(prefix='comixthumb', suffix=os.sep,
-+ dir = '/tmp')
-+_tmp_dir += "/"
-+
-
- # return the first image in the list
- def first_image (filelist):
-@@ -104,10 +109,10 @@
- else:
- subarchive = first_archive(zipfiles)
- if subarchive:
-- output = open("/tmp/comicthumb/archive%d" % (depth), "wb")
-+ output = open( _tmp_dir + "archive%d" % (depth), "wb")
- output.write(zip.read(subarchive))
- output.close()
-- return get_image("/tmp/comicthumb/archive%d" % (depth),
-+ return get_image( _tmp_dir + "archive%d" % (depth),
- depth + 1)
- elif tarfile.is_tarfile(compressed_file):
- TYPE = TYPE or 'cbt'
-@@ -122,10 +127,10 @@
- else:
- subarchive = first_archive(tarfiles)
- if subarchive:
-- output = open("/tmp/comicthumb/archive%d" % (depth), "wb")
-+ output = open( _tmp_dir + "archive%d" % (depth), "wb")
- output.write(tar.extractfile(subarchive).read())
- output.close()
-- return get_image("/tmp/comicthumb/archive%d" % (depth),
-+ return get_image( _tmp_dir + "archive%d" % (depth),
- depth + 1)
- elif open(compressed_file, 'rb').read(4) == 'Rar!':
- TYPE = TYPE or 'cbr'
-@@ -159,7 +164,7 @@
- if subarchive:
- #os.popen('%s p -inul -- "%s" "%s" > "/tmp/comicthumb/archive%d"'
- #% (rar, compressed_file, subarchive, depth), "r")
-- filen = "/tmp/comicthumb/archive%d"%(depth)
-+ filen = _tmp_dir + "archive%d"%(depth)
- try:
- os.remove(filen)
- except:
-@@ -170,7 +175,7 @@
- [rar, 'p', '-inul', '--', compressed_file, subarchive],
- stdout = fdp).wait()
- fp.close()
-- return get_image("/tmp/comicthumb/archive%d" % (depth),
-+ return get_image( _tmp_dir + "archive%d" % (depth),
- depth + 1)
- return picture
-
-@@ -226,8 +231,8 @@
- exit_flag = 1
-
- # remove tempory stuff
--if os.path.isdir('/tmp/comicthumb/'):
-- shutil.rmtree('/tmp/comicthumb/')
-+if os.path.isdir(_tmp_dir):
-+ shutil.rmtree(_tmp_dir)
-
- # and exit
- sys.exit(exit_flag)
diff --git a/comix.spec b/comix.spec
index 0a54240..bd28806 100644
--- a/comix.spec
+++ b/comix.spec
@@ -1,14 +1,12 @@
 Name: comix
-Version: 3.6.4
-Release: 6%{?dist}
+Version: 3.6.5
+Release: 1%{?dist}
 Summary: A user-friendly, customizable image viewer
 Group: Amusements/Graphics
 URL: http://comix.sourceforge.net/
 License: GPLv2+
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
-Patch0: comix-3.6.4-command-argument-closure.patch
-Patch1: comix-3.6.4-tmpfile.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
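Review bot: Dropping `Patch0` and `Patch1` in this hunk leaves the spec with no record of which security fixes 3.6.5 is expected to carry; the new changelog entry in the last hunk of this file says only `- 3.6.5 (2 patches applied upstream)`. The removed `%patch0` line used the backup suffix `.CVE-2008-1568` and the changelog tags the tempfile patch as CVE-2008-1796, so I would name both in the new entry, e.g. `- 3.6.5 (fixes for CVE-2008-1568 and CVE-2008-1796 applied upstream)`. This diff does not show the 3.6.5 sources, so it is worth confirming against the new tarball that upstream's changes are equivalent to the dropped patches (argument-list `subprocess` calls, and `tempfile.mkdtemp()` in place of the fixed `/tmp/comix` and `/tmp/comicthumb` paths).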
@@ -33,8 +31,6 @@ uses GTK+ through the PyGTK bindings.
 %prep
 %setup -q
-%patch0 -p1 -b .CVE-2008-1568
-%patch1 -p1 -b .tmpfile
 %build
 %{__sed} -i -e 's|shutil.copy|shutil.copy2|' install.py
@@ -136,9 +132,13 @@ exit 0
 %changelog
+* Thu Jul 10 2008 Mamoru Tasaka - 3.6.5-1
+- 3.6.5 (2 patches applied upstream)
+
 * Thu Apr 3 2008 Mamoru Tasaka - 3.6.4-6
 - Second patch for bug 430635
 Use tempfile.mkdtemp() for multiple user race condition
+ (tagged as CVE-2008-1796)
 * Wed Apr 2 2008 Mamoru Tasaka - 3.6.4-4
 - First patch for bug 430635
diff --git a/sources b/sources
index a53259c..b3f502c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1ece2cde0057abf5913b0f2933d839ab comix-3.6.4.tar.gz
+4f6210ee04b5b01cb37ab58638278a03 comix-3.6.5.tar.gz